Home · libreswan/libreswan Wiki · GitHub
Andrew Cagney edited this page
Oct 28, 2025
15 revisions
Libreswan
The Libreswan Project
Libreswan is an Internet Key Exchange (IKE) implementation for Linux,
FreeBSD, NetBSD and OpenBSD. It supports IKEv1 and IKEv2 and has
support for most of the extensions (RFC + IETF drafts) related to
IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and
many others.
Libreswan was forked from Openswan 2.6.38, which was forked from
FreeS/WAN 2.04. See the CREDITS files for contributor
acknowledgments.
It can be downloaded from:
A Git repository is available at:
License
The bulk of libreswan is licensed under the GNU General Public License
version 2; see the LICENSE and CREDIT.* files. Some smaller parts
have a different license.
Installing
A pre-built Libreswan package is available on the following OS
distributions: RHEL, Fedora, CentOS, Ubuntu, Debian, Arch, Alpine,
OpenWrt and FreeBSD. On NetBSD the package sources are in
wip/libreswan.
Unless a source-based build is truly needed, it is often best to use
the pre-built version of the distribution you are using.
Installing from Source
Dependencies
There are a few packages required for Libreswan to compile from
source:
For Debian / Ubuntu / Mint
apt-get install build-essential pkg-config \
bison flex libnss3-dev libnss3-tools libevent-dev \
libunbound-dev libpam0g-dev libcap-ng-dev \
libldns-dev xmlto libcurl4-openssl-dev
For Fedora/CentOS-Stream/RHEL/AlmaLinux/RockyLinux etc.
dnf install audit-libs-devel bison curl-devel flex \
gcc ldns-devel libcap-ng-devel libevent-devel \
libseccomp-devel libselinux-devel make nspr-devel \
nss-devel pam-devel pkgconfig systemd-devel \
unbound-devel xmlto
Alpine Linux:
apk add mandoc mandoc-doc apk-tools-doc bison \
bison-doc bsd-compat-headers coreutils coreutils-doc \
curl-dev curl-doc flex flex-doc gcc gcc-doc git git-doc \
gmp-dev gmp-doc ldns-dev ldns-doc libcap-ng-dev \
libcap-ng-doc libevent-dev linux-pam-dev linux-pam-doc \
make make-doc musl-dev nspr-dev nss-dev nss-tools \
pkgconfig sed sed-doc unbound-doc unbound-dev \
xmlto xmlto-doc
FreeBSD:
pkg install gmake git pkgconf nss libevent unbound bison \
flex ldns xmlto gcc
NetBSD:
pkgin install git gmake nss unbound bison flex ldns xmlto pkgconf
OpenBSD:
pkg_add gmake nss libevent libunbound bison libldns xmlto \
curl git llvm%16
Building from scratch into /usr/local
GNU Make is used:
gmake
sudo gmake install
If you want to build without creating and installing manual pages, run:
gmake base
sudo gmake install-base
Building for RPM based systems
Install requirements for rpm package building:
dnf install rpm-build rpmdevtools
The packaging/ directory is used to find the proper spec file for your
distribution. Simply issue the command:
make rpm
You can also pick a specific spec file. For example, to build for
CentOS8, use:
rpmbuild -ba packaging/centos/8/libreswan.spec
Building for DEB based systems
The packaging/debian directory is used to build deb files. Simply
issue the command:
make deb
Starting Libreswan
The install will detect the init system used (systemd, upstart,
sysvinit, openrc) and should integrate with the Linux distribution.
The service name is called "ipsec". For example, on CentOS Stream 9,
one would use:
systemctl enable ipsec.service
systemctl start ipsec.service
If unsure of the specific init system used on the system, the "ipsec"
command can also be used to start or stop the ipsec service. This
command will auto-detect the init system and invoke it:
ipsec start
ipsec stop
Status
For a connection status overview, use:
ipsec trafficstatus
For a brief status overview, use:
ipsec briefstatus
For a machine readable global status, use:
ipsec globalstatus
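As an added example (not part of the wiki page or the libreswan sources), the following POSIX shell script turns the per-tunnel lines of ipsec trafficstatus into something a monitoring job can act on: it extracts the connection name and the inBytes/outBytes counters and reports tunnels that are up but have carried no traffic in either direction. The line layout it parses (a double-quoted connection name followed by comma-separated key=value fields) is an assumption modelled on recent libreswan output; the leading "006 " prefix of older releases is ignored, and the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example: a small health check over 'ipsec trafficstatus' output.
# Assumption: each Child SA is reported on one line as a quoted connection
# name followed by comma-separated key=value fields (inBytes=, outBytes=).
# The numeric "006 " prefix seen on older releases is ignored.
# The sample below is constructed for this example, not captured.

sample_trafficstatus() {
cat <<'EOF'
006 #2: "westnet-eastnet", type=ESP, add_time=1699999999, inBytes=1536, outBytes=2048, maxBytes=2^63B, id='@east'
006 #4: "roadwarrior", type=ESP, add_time=1700000100, inBytes=0, outBytes=0, maxBytes=2^63B, id='@client1'
EOF
}

# Print "name inBytes outBytes" for every Child SA line read from stdin.
parse_trafficstatus() {
    awk '
    /type=ESP/ {
        name = ""; in_b = ""; out_b = ""
        # the connection name is the first double-quoted token on the line
        if (match($0, /"[^"]*"/))
            name = substr($0, RSTART + 1, RLENGTH - 2)
        n = split($0, f, /, */)
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^inBytes=/)  { sub(/^inBytes=/,  "", f[i]); in_b  = f[i] }
            if (f[i] ~ /^outBytes=/) { sub(/^outBytes=/, "", f[i]); out_b = f[i] }
        }
        if (name != "") print name, in_b, out_b
    }'
}

# Names of tunnels that are established but have carried no traffic in either
# direction; these are worth checking against the routing table and the
# configured traffic selectors before suspecting the crypto.
idle_tunnels() {
    parse_trafficstatus | awk '$2 == 0 && $3 == 0 { print $1 }'
}

# Number of established Child SAs.
active_tunnel_count() {
    parse_trafficstatus | wc -l | tr -d ' '
}

# With --live, read the running daemon; otherwise run over the sample.
if [ "${1-}" = "--live" ]; then
    ipsec trafficstatus | idle_tunnels
else
    sample_trafficstatus | idle_tunnels
fi
```

Run it with --live on a gateway to list idle tunnels from the live daemon; without arguments it processes the embedded sample and prints roadwarrior.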
Configuration
Most of the libreswan configuration is stored in /etc/ipsec.conf and
/etc/ipsec.secrets. Include files may be present in /etc/ipsec.d/.
See the respective man pages for more information.
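As an added example (not from the wiki page or the libreswan project), the script below writes a host-to-host IKEv2 connection into an ipsec.d-style directory with a freshly generated pre-shared key, keeping the key in a separate secrets file that is created owner-readable only, and provides a check that no secrets file under that directory has drifted to a wider mode. It assumes the default libreswan layout in which /etc/ipsec.conf includes /etc/ipsec.d/*.conf and /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets; the function names, the 32-byte key size and the sample addresses are this example's choices.

```shell
#!/bin/sh
# Added example: drop in a host-to-host IKEv2 connection with a random PSK,
# keeping the secret out of the world-readable .conf file.
# Assumptions (not stated on this page): /etc/ipsec.conf contains
# "include /etc/ipsec.d/*.conf" and /etc/ipsec.secrets contains
# "include /etc/ipsec.d/*.secrets", the default libreswan layout.
# Function names and the 32-byte PSK size are this example's choices.

# write_psk_conn CONFDIR NAME LEFT RIGHT
write_psk_conn() {
    confdir=$1 name=$2 left=$3 right=$4
    conf="$confdir/$name.conf"
    secrets="$confdir/$name.secrets"

    # 32 random bytes, base64 encoded (44 characters), as the pre-shared key.
    psk=$(head -c 32 /dev/urandom | base64 | tr -d '\n')

    # The connection definition holds no secret and may stay world-readable.
    cat > "$conf" <<EOF
conn $name
    left=$left
    right=$right
    authby=secret
    ikev2=yes
    auto=start
EOF
    chmod 0644 "$conf"

    # The secrets file is created under a restrictive umask so it is never
    # readable by other users, not even briefly before the chmod.
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$secrets" )
    chmod 0600 "$secrets"
}

# Return 0 when every *.secrets file under CONFDIR is owner read/write only.
secrets_are_private() {
    for f in "$1"/*.secrets; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    return 0
}

# Usage as root on the gateway: write_psk_conn /etc/ipsec.d h2h LEFT RIGHT,
# then "ipsec auto --add h2h" (or restart the ipsec service) to load it.
if [ $# -eq 4 ]; then
    write_psk_conn "$@" && secrets_are_private "$1" && echo "ok: $1/$2"
fi
```

The same PSK has to be placed in the peer's secrets file; the check function is cheap enough to run from a cron job or a configuration-management handler so that a secrets file copied with the wrong mode is caught rather than silently readable by every local user.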
NSS initialisation
Libreswan uses NSS to store private keys and X.509 certificates. The
NSS database should have been initialised by the package installer.
If not, the NSS database can be initialised using:
ipsec initnss
PKCS#12 certificates (.p12 files) can be imported using:
ipsec import /path/to/your.p12
See README.NSS and certutil --help for more details on using NSS and on
migrating from the old Openswan /etc/ipsec.d/ directories to NSS.
Upgrading
If you are upgrading from an older Libreswan version to Libreswan 5.x,
you might need to adjust your config files, although great care has
been put into keeping the configuration files fully backwards
compatible. See 'man ipsec.conf' for the list of options to find any
new features.
You can run make install on top of your old version; it will not
overwrite your /etc/ipsec.* configuration files. The default install
target installs into /usr/local. Ensure you do not install libreswan
twice, once from a distribution package in /usr and once manually in
/usr/local.
Note that for rpm based systems, the NSS directory changed from
/etc/ipsec.d to /var/lib/ipsec/nss/.
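As an added example (not part of the page or the project), the following shell functions check the two upgrade pitfalls described above: a second copy of libreswan under /usr/local next to a distribution package under /usr, and confusion over which NSS database directory is in use. The optional ROOT argument prefixes every path so the checks can be exercised against a scratch tree; the candidate paths are assumptions drawn from the /usr versus /usr/local split the text describes.

```shell
#!/bin/sh
# Added example: sanity checks around "make install" on an existing system.
# ROOT is an optional prefix so the checks can run against a scratch tree;
# the candidate paths are this example's assumptions.

# List every ipsec front-end found under ROOT, one path per line.
find_ipsec_installs() {
    root=${1:-}
    for p in /usr/sbin/ipsec /usr/local/sbin/ipsec; do
        [ -x "$root$p" ] && echo "$p"
    done
    return 0
}

# Return 0 when exactly one install is present, 1 when there are none or two.
single_install() {
    n=$(find_ipsec_installs "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Report the NSS database location in use: the newer /var/lib/ipsec/nss, the
# legacy /etc/ipsec.d (NSS *.db files present there), or none.
nss_dir() {
    root=${1:-}
    if [ -d "$root/var/lib/ipsec/nss" ]; then
        echo /var/lib/ipsec/nss
    elif ls "$root"/etc/ipsec.d/*.db >/dev/null 2>&1; then
        echo /etc/ipsec.d
    else
        echo none
    fi
}

# Run with --check on the real system before and after an upgrade.
if [ "${1-}" = "--check" ]; then
    find_ipsec_installs
    single_install || echo "warning: zero or more than one libreswan install found"
    echo "NSS database: $(nss_dir)"
fi
```

A warning from single_install after a source build on a machine that also has the distribution package means two daemons, two sets of init integration and two ideas of where the NSS database lives; remove one before starting the service.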
Help
Mailing lists:
The mailing lists, including archives, are at
Wiki:
Libreswan's wiki is at . It contains documentation, interop guides and
other useful information.
IRC:
Libreswan developers and users can be found on IRC, on irc.libera.chat
in #libreswan.
Bugs
Bugs can be reported on the mailing list swan-dev@lists.libreswan.org
or using our bug tracking system, at:
Security Information
All security issues found that require public disclosure will receive
proper CVE tracking numbers (see ) and will be co-ordinated via the
vendor-sec / oss-security lists. A complete list of known security
vulnerabilities is available at:
Please contact security@libreswan.org or:
if you suspect you have found a security issue or vulnerability in
libreswan. Email can be sent encrypted to the libreswan OpenPGP key.
We strongly encourage you to report potential security vulnerabilities
to us before disclosing them in a public forum or in a public security
paper or conference.
Development
Those interested in the development, patches, and beta releases of
Libreswan can join the development mailing list
swan-dev@lists.libreswan.org or talk to the development team on IRC in
#libreswan on irc.libera.chat.
For those who want to track things a bit more closely, the
swan-commits@lists.libreswan.org mailing list will mail all the commit
messages when they happen. This list is quite busy during active
development periods.
Documentation
The most up to date documentation consists of the man pages that come
with the software. Further documentation can be found at:
and the wiki at: